Trusted Registration/Revocation Authority

Why we need it?

The Trusted Registration/Revocation Authority (Trusted Authority – TA) in short) is responsible for registering new users to the ASCLEPIOS ecosystem, particularly to a Keycloak Server (via the Keycloak Admin API). It is also used to revoke access from users who are no longer allowed to access the ASCLEPIOS services that are protected by the Keycloak user authentication and to edit the attributes of existing users. Finally, it ensures that all security information across the ASCLEPIOS system is compliant with the latest user attributes in order to allow for real-time security changes to take effect immediately.

How does it work?

A new user can enter her/his details in the registration form of the Trusted Authority, along with extra user attributes that could be relevant for her/his profile. The Trusted Authority calculates the user’s CP-ABE Key, based on the user attributes, and stores it, along with her/his other details, as a new user in Keycloak.

The user now can be authenticated through Keycloak, using her/his new credentials and can retrieve her/his CP-ABE key. When editing attributes of existing users, the CP-ABE key is constantly recalculated to match the latest changes in the attributes. This process ensures that any encryption or decryption action is performed utilizing the most up-to-date information regarding the user.